Last modified: Thursday, 4 September 2025

AESA processing activities

1. Promotion activity

Purposes of processing:

Registration and participation in the promotion activities of AESA and its dissemination.

Sending institutional information.

Sending newsletters related to the activity of AESA.

Management of collaboration instruments (agreements and protocols).

Legal basis:

GDPR: 6.1.a) The data subject consented to the processing of his or her personal data for one or more specific purposes.

GDPR: 6.1.b) Processing necessary for the execution of a contract to which the interested person is a party or for the application at the request of the latter of pre-contractual measures.

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Law 21/2003 of 7 July 2003 on Air Safety.

Law 38/2003, of 17 November, General Subsidies.

Law 40/2015, of 1 October, on the Legal Regime of the Public Sector.

Law 34/2002, of 11 July, on information society services and electronic commerce.

Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights.

Collectives:

Participants, attendees and interested in the calls for awards, events and initiatives organized and promoted by AESA.

People interested in the activities and information of AESA.

People who sign the conventions and protocols in which AESA participates.

Data Category:

Name and surname, ID / NIF / Identification document, address, signature, telephone, sector of activity.

Participants in prizes: photograph, the entity they represent, if any.

Participants in prizes that carry economic remuneration: bank details.

Participants in agreements: entity they represent.

Attendees at the events organised by AESA: voice and image.

Category of Recipients:

Participants in the calls for prizes:

The names and surnames of the winners will be public in accordance with Law 19/2013, of December 9, on Transparency, Access to Public Information and Good Governance, and will be accessible through the AESA Website and AESA social networks.

The personal data of the winners in the prizes that carry economic remuneration will be communicated to the financial institutions, State Agency of the Tax Administration, General Intervention of the State Administration, Court of Auditors.

The personal data of the persons signing agreements may be communicated to the General State Audit Office and the Court of Auditors.

Attendees at the events organised by AESA: the generated video may be published on AESA's social networks.

International transfers:

No international data transfers are foreseen with the exception of participation as a speaker in those promotional activities that indicate that the data will be transferred to ICAO for wider dissemination. This transfer is based on an adequacy decision. ICAO, as the recipient of the data, is located in a country that has been declared an adequate level of protection by the European Commission: Canada. Commission Decision 2002/2/EC of 20 December 2001.

Deletion period:

The personal data of the participants in prizes will be kept during the processing of the award procedure. The economic data will be kept under the provisions of Law 58/2003, of December 17, General Taxation, and the regulations of archives and documentation.

The personal data of persons interested in receiving institutional information will be kept in the system indefinitely as long as the person concerned does not request its deletion.

The personal data of persons registered in general activities will be deleted when they have ended.

The personal data of persons registered in activities aimed at specific sectors of activity or professionals will be kept in the system indefinitely as long as the person concerned does not request their deletion.

The personal data of persons signing on behalf of entities entering into agreements with the Agency shall be kept in the system indefinitely. The provisions of the archives and documentation regulations shall apply.

The videos generated in the events organized by AESA will be kept indefinitely as long as they remain valid as an activity to promote the fundamental right to the protection of personal data.

Security measures:

The security measures implemented correspond to those provided for in Annex II (Security Measures) of Royal Decree 311/2022, of 3 May, regulating the National Security Scheme, and which are described in the documents that make up the Agency's Data Protection and Information Security Policy.

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

You can request access, rectification, deletion, opposition or limitation of the processing of personal data in the event that the requirements established in the General Data Protection Regulation are met, as well as in Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights, as indicated in the section "Exercise of the rights of the interested parties" of the "Privacy Policy and legal notice".

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

2. Accident analysis

Purposes of processing:

Request for information and collection of this information to be sent to CIAIAC in response to your request in the field of investigation of accidents or serious incidents. This information may contain medical, personal, aircraft, licensing, etc. data.

Response to CIAIAC recommendations and draft reports sent to EASA after coordination with the other directorates concerned.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Law 1/2011 State Operational Safety Programme for Civil Aviation.

Regulation (EU) 996/2010 investigation and prevention of civil aviation accidents and incidents.

Collectives:

Holders or applicants of pilot license, ATS operator, maintenance technicians or TCP certificate under the authority of AESA.

Data Category:

Identification data: name, ID/ID, telephone number, postal address, e-mail address, digital signature, nationality, date and place of birth and, where applicable, details of your representative; General personal data (labor): job within an organisation; Academics: training carried out, duration of the training, training centre where the training is carried out, level of achievement and qualifications, instructors and other information of a training nature.

Data of a criminal nature, when required by applicable regulations.

General criminal record.

Special categories of personal data: Exceed or not of psychophysical recognition to exercise the tasks granted by your license or certificate.

Health-related (data related to the physical or mental health of the person; diseases, injuries, results of medical tests and examinations).

Category of Recipients:

Data is transmitted to CIAIAC or other aviation accident investigation authorities for accident investigation when requested under legal requirement to do so. All types of information are included as long as it conforms to what is necessary for the investigation.

International transfers:

Data are transmitted to investigating authorities for accident investigation when requested under legal requirement to do so. All types of information are included as long as it conforms to what is necessary for the investigation.

Deletion period:

The personal data will be kept for the time necessary to fulfill the purpose for which it has been collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data. The regulations on Spanish archives and documentary heritage will apply.

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

3. Risk analysis

Purposes of processing:

Follow-up of events of particular relevance, preparation of risk analysis reports for the different areas of aviation, preparation of risk analysis reports on specific subjects, preparation of risk analysis for the Safety Committees of EASA, exploitation of the RIMAS methodology and preparation of analysis for the working groups of priority areas.

Development and processing of information for the GTECAS.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Regulation (EU) 376/2014 occurrence reporting in civil aviation.

Implementing Regulation (EU) 2015/1018 mandatory civil aviation occurrence classification list.

Law 1/2011 State Operational Safety Programme for Civil Aviation.

Royal Decree 1088/2020 of 9 December 2020 supplementing the regime applicable to the reporting of civil aviation occurrences.

Regulation (EU) 376/2014 occurrence reporting in civil aviation.

Implementing Regulation (EU) 2015/1018 mandatory civil aviation occurrence classification list.

Law 1/2011 State Operational Safety Programme for Civil Aviation.

Collectives:

Service providers in safety.

Data Category:

Identification data: Name, ID/ID document, telephone number, postal address, e-mail address, Digital signature, nationality, date and place of birth.

General personal data (labor): job within an organization.

Category of Recipients:

ECCAIRS-SNS data are transmitted to the ECR (European Central Occurrence Repository) upon regulatory request. The ECR belongs to the European Commission and is operated by EASA. Personal data are not transmitted.

Additionally, external requests for information are met but, under regulatory requirement, personal data is not included and the request must be motivated to improve security.

International transfers:

In the event of indications of wilful misconduct or gross negligence, the data may be forwarded to competent international authorities in the supervision of the personnel/supplier involved.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

4. Attention to people's rights

Purposes of processing:

Respond to requests from citizens in the exercise of the rights established by the General Data Protection Regulation.

Legal basis:

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.

General Data Protection Regulation (GDPR 2016/679); Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.

Collectives:

Natural persons who complain to AESA.

Data Category:

Name and surname, ID, address, signature, telephone.

Category of Recipients:

No data communications are planned.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

5. Ground Assistance Authorizations

Purposes of processing:

Processing of groundhandling authorisations regulated in Royal Decree 1161/1999.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Directive 96/67/EC; Royal Decree 1161/99.

Law 21/2003 of 7 July 2003 on Air Safety.

Collectives:

Groundhandling agents and their representatives.

Airport managers.

Data Category:

Identification data of the staff of legal or natural persons and their representatives.

Operational and economic data of the entities.

Category of Recipients:

AENA.

Contact details may be shared with organisations with which EASA participates in EASA-driven aviation safety projects.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

6. Aerodrome Certificates

Purposes of processing:

Procedures for:

Authorisation,
Certification,
Change management
Regulatory control inspection
Development, dissemination and verification of safety directives

Suspension, limitation or revocation of certificates of airports certified under the scope of European regulations.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Basic Regulation (EU) 2018/1139 and its implementing regulation: Regulation (EU) 139/2014.

Royal Decree 1070/2015.

Collectives:

Airport managers certified for public use.

Platform Management Service Providers.

Data Category:

Personal data of the applicant and inspected.

Technical and operational data of the managed facilities.

Category of Recipients:

Airport managers certified for public use.

Platform Management Service Providers.

International transfers:

No international data transfers are foreseen.

Deletion period:

The following shall be kept for the time necessary to comply with the provisions of the implementing legislation: Regulation (EU) 139/2014.

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

7. Consultations

Purposes of processing:

Consultations of an informative nature in relation to issues related to the technical issues within the competence of AESA through the contact form or any other incident management system.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Royal Decree 184/2008 of 8 February 2008 approving the Statute of the State Aviation Safety Agency.

Law 39/2015 of 1 October 2015 on the common administrative procedure of public administrations.

Law 40/2015 of 1 October 2015 on the legal regime of the public sector.

Collectives:

Citizens, Entities.
In-house and external staff serving in AESA

Data Category:

Name and surname, ID / NIF / Identification document, email address.

Category of Recipients:

No data communications are planned.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

8. Expert Data

Purposes of processing:

The personal data, including images and sounds, collected in this section will be used for participation in international forums and working groups in which EASA has a presence, as well as for the implementation and development of activities and projects (hereinafter, activities) coordinated by EASA's International Strategy Department. This coordination function is supported by the contracts, agreements and agreements (hereinafter, agreement(s)) signed by AESA with international organizations, competent authorities and entities, both Spanish and foreign (hereinafter, body(s)), as well as in the competences that the regulations attribute to AESA. In such agreements and working groups, EASA participates individually or in partnership with other institutions, bodies, agencies and entities, both public and private, whose activities relate to technical aspects of civil aviation.

Legal basis:

GDPR: 6.1.a) The data subject consented to the processing of his or her personal data for one or more specific purposes.

GDPR: 6.1.b) Processing necessary for the execution of a contract to which the interested person is a party or for the application at the request of the latter of pre-contractual measures.

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Law 21/2003 of 7 July 2003 on Air Safety.

Royal Decree 184/2008 Statute of the State Aviation Safety Agency.

Law 25/2014, of 27 November, on Treaties and other International Agreements.

Regulation (EU) 2018/1139 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency.

Collectives:

Staff working with AESA, in their capacity as public officials or on assignment, as well as staff belonging to bodies involved in activities referred to in the ‘purposes of processing’ section of this register.
Personnel carrying out technical research activities and aeronautical organisations that are certified/supervised.
Staff participating in international forums and working groups.

Data Category:

With regard to staff belonging to bodies:

Personal data: name and surname, ID/NIF or identification document, telephone number and email address.

Employment data: name of the entity or body to which it belongs and position held.

Academic and professional data: training, qualifications and, where appropriate, curriculum vitae.

Image and sound derived from participation in online/face-to-face meetings/events.

Staff working with EASA, in their capacity as public officials or on assignment:

Personal data: name and surname, ID / NIF or identification document, address, telephone, contact in case of emergency and email address.

Academic and professional data: training, qualifications and curriculum vitae.

Economic-financial data: country of tax residence, bank information.

Image and sound derived from participation in online/face-to-face meetings/events.

Category of Recipients:

Personal data will be processed solely for the purpose of documenting the execution of activities carried out by AESA in international forums and working groups, as well as those activities derived from the agreements referred to in the "End of processing" of this register and the mission and objectives of AESA, as well as to record procedures and archive historical events. The images and audio recordings collected may also be published in digital publications, on corporate websites such as social media accounts, by the agency and AESA, and will be stored securely in compliance with the relevant data protection laws. Likewise, personal data will not be disclosed to third parties without the consent of the interested party, unless required by law, without prejudice to a possible transfer to bodies responsible for monitoring, auditing or inspection functions in accordance with national and European Union legislation.

In the event that staff receive payments as a result of their participation in the activities, their data will be shared with the financial institution designated by the staff themselves to receive the payment. Likewise, they will be communicated to the entity that collaborates with AESA in the administrative and financial management of the agreements (such as SENASA), to the State Agency of the Tax Administration, to the General Intervention Office of the State Administration and to the Court of Auditors.

The image and sound derived from participation in meetings and events, both face-to-face and online, will be shared with the bodies and entities in which AESA has a presence as a member of international forums or working groups, as well as those bodies that are part of the agreement to which they refer, insofar as they are necessary for the development of the activities and compliance with the agreement. Shall only be shared for dissemination purposes if the persons involved are not recognizable or if express consent has been obtained.

International transfers:

The data of the personnel involved in the activities will be shared, as appropriate, with the bodies party to the agreement to which they refer, as well as with those bodies and entities in which AESA has a presence as a member of international forums or working groups. This action will be carried out in accordance with the provisions of the EASA strategic plan and the agreements signed, in order to facilitate the implementation of these activities.

Deletion period:

The personal data will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data itself. For this purpose, the provisions of the agreements signed by AESA as provided in the section "purposes of treatment" of this treatment will apply, as well as the current regulations and procedures of AESA, applicable to archives and conservation of documentation.

The data of the staff may be kept for future training actions, unless the owner of the data requests its deletion.

In the case of remunerated activities, the data will be kept under the provisions of Law 58/2003, of December 17, General Tax Law.

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

9. Complaints

Purposes of processing:

The management of complaints, to respond to requests for information arising from the courts in its area of competence and properly manage requests for information from the Confidential Reporting System (hereinafter, CSR) of EASA.

The drafting of the corresponding proposal to initiate penalty proceedings or the closure of the same.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.

Law 21/2003 of 7 July 2003 on Air Safety.

Law 39/2015 Common Administrative Procedure of Public Administrations.

Collectives:

Citizens in general.

Data Category:

Identification data: Name, ID / Identification document, address, e-mail, signature, position and Data related to the document presented.

Category of Recipients:

Other public administrations of Spain or the European Union that are interested parties.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

10. Passenger rights

Purposes of processing:

Inspections and handling of complaints under the Passenger Rights Regulations (EC) 261/2004 and (EC) 1107/2006.

The data corresponding to this treatment will also be used for the treatment 12. Surveys and studies, the holders of the data being able to oppose such treatment.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Regulation (EC) No 261/2004 of the European Parliament and of the Council of 11 February 2004 establishing common rules on compensation and assistance to passengers in the event of denied boarding and of cancellation or long delay of flights, and repealing Regulation (EEC) No 295/91.

Regulation (EC) No 1107/2006 of the European Parliament and of the Council of 5 July 2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air.

Law 21/2003 of 7 July 2003 on Air Safety.

Law 7/2017 of 2 November 2017 transposing Directive 2013/11/EU of the European Parliament and of the Council of 21 May 2013 on alternative dispute resolution for consumer disputes into Spanish law.

Collectives:

Passengers and Companies.

Data Category:

Name and surname, ID / NIF / Identification document, address, telephone and signature.

Other information: those contained in the complaint.

Category of Recipients:

Airlines, Airport Managers, Other Public Administrations, Other European Authorities, Competent Courts.

International transfers:

Air carriers from third countries.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

11. Issuance of approvals and responsible declarations

Purposes of processing:

Issuance of Certificates, Authorizations and Approvals, and verification of Responsible Declarations.

Processing of applications for leases of aircraft and/or third country operators.

Registration of UAS operators, declaration of standard scenario and issuance of operating authorisations.

Declaration responsible for the placing on board of aircraft fuel by packaging.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Royal Decree 98/2009 Regulation on aeronautical inspection.

Regulation (EU) 965/2012 technical requirements and administrative procedures relating to air operations.

Regulation (EU) No 1321/2014 on the continuing airworthiness of aircraft and aeronautical products, parts and appliances, and on the approval of organisations and personnel involved in those tasks."

Regulation (EU) 748/2012 on the airworthiness and environmental certification of aircraft and related products, parts and appliances, and on the certification of design and production organisations

Royal Decree 660/2001 regulating the certification of civil aircraft and related products and parts.

Royal Decree 750/2014 regulating aerial firefighting, search and rescue activities and establishing airworthiness and licensing requirements for other aeronautical activities.

Royal Decree 1591/1999 regulates the registration and use of ultralight aircraft and modifies the registration of private non-commercial aircraft.

Regulation (EU) 2018/395 laying down detailed rules for the operation of balloons.

Implementing Regulation (EU) 923/2012 Air Regulation and Common Operational Provisions for Air Navigation Services and Procedures.

Royal Decree 765/2022 of 20 September 2022 regulating the use of ultra-light motorised aircraft (ULM).

Royal Decree 1919/2009 regulates the aeronautical safety of civil air demonstrations.

Royal Decree 57/2002 Air Traffic Regulations.

Commission Regulation (EU) 2018/1976 of 14 December on operations with sailplanes.

Regulation (EU) 965/2012 technical requirements and administrative procedures relating to air operations.

Regulation (EC) 1008/2008 common rules for the operation of air services in the Community.

Regulation (EU) 452/2014 technical requirements and administrative procedures for air operations of third country operators.

Regulation (EU) 2015/1088 maintenance procedures for general aviation aircraft.

Implementing Regulation (EU) 2019/947 rules and procedures for the use of unmanned aircraft.

RD 1036/2017 civilian use of remotely piloted aircraft.

Law 39/2015 of 1 October 2015 on the Common Administrative Procedure of Public Administrations.

Collectives:

Air Operators.

Airworthiness Maintenance Management Organizations (CAMO/CAO).

Aircraft design and production organizations.

Organizations / Aircraft Maintenance Center.

Training Centres for Aircraft Maintenance Technicians (Part 147).

Pilots owning aircraft.

Aircraft amater builders.

Ramp inspection training centres.

Applicant for approval of aerial demonstration.

UAS operators and UAS pilot training entities.

Data Category:

Name and surname / Company name, ID / Identification document, Postal address, E-mail address, Telephone, Image, Video, Nationality.

Category of Recipients:

Eurocontrol (only in the case of RVSM approvals).

Other EASA Authorities.

Courts.

State Security Forces and Bodies.

Other Administrations where applicable.

Contact details may be shared with organisations with which EASA participates in EASA-driven aviation safety projects.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

12. Surveys and studies

Purposes of processing:

Know the opinion of users and improve the quality of services, bodies and agencies of the General State Administration.

Carry out studies of demand analysis and evaluation of user satisfaction with the services for which EASA is responsible, using qualitative and quantitative research techniques.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Law 21/2003 of 7 July 2003 on Air Safety.

Royal Decree 184/2008 of 8 February 2008 approving the Statute of the State Aviation Safety Agency.

Law 39/2015 of 1 October 2015 on the Common Administrative Procedure of Public Administrations.

Royal Decree 951/2005 of 29 July 2005 establishing the general framework for improving quality in the General State Administration.

Collectives:

Citizens, Entities.

Data Category:

Name and surname, e-mail.

Category of Recipients:

No data communications are planned.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

13. Environmental assessment and noise

Purposes of processing:

Development of substantive body work in the processing of environmental impact assessment of airport infrastructure projects within the competence of the State, civil flight procedures and airspace changes.

Supervision and inspection of compliance with the Resolutions of the Environmental Body in airport infrastructure projects within the competence of the State, civil flight procedures and airspace changes as a substantive body.

Supervision of compliance with noise obligations in airport infrastructures within the competence of the State.

Procedure for establishing operating restrictions at airports.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Law 21/2013 on environmental assessment.

Law 27/2006 regulates the rights of access to information, public participation and access to justice in environmental matters.

Royal Decree 310/2022 completes the legal regime for the approval of airspace changes and civil flight procedures.

Law 37/2003 on Noise.

Royal Decree 1367/2007 implementing Law 37/2003 on Noise, with regard to acoustic zoning, quality objectives and acoustic emissions.

Regulation (EU) 598/2014 on the establishment of rules and procedures with regard to the introduction of noise-related operating restrictions at Union airports within a balanced approach.

Collectives:

Promoters of airport infrastructures within the competence of the State (public or restricted use).

Airport infrastructure managers within the competence of the State (public or restricted use).

Promoters of airspace changes and/or civil flight procedures, natural or legal persons involved in public information procedures.

Airport managers having more than 50000 movements of civil aircraft per calendar year.

Data Category:

Name and surname, ID / Identification document, Postal address, E-mail address, Telephone, data, technical studies and monitoring reports of environmental conditions related to the projects.

Measurements and technical studies related to noise levels, as well as operational data of the infrastructure.

Category of Recipients:

Ministry for Ecological Transition and Demographic Challenge.

Specific case only for data and technical studies: Public administrations affected (AGE, Autonomous Communities, Municipalities, etc.), natural or legal persons interested in the possible significant effects of the project, general public, under Law 27/2006.

European Commission.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

14. Training

Purposes of processing:

Conduct of the examinations, the management of which is provided for in Regulation (EU) 1321/2014 Part 66.

Conduct of examinations the management of which is laid down in Regulation (EU) 1178/2011 Part FCL.

Approval of ATC training plans and courses.

Issuance of initial certification and/or amendment of certificates of ATC and AFIS training organisations.

Management of pilot training organisations, remote pilots, cabin crew (TCP), risk-free transport of dangerous goods by air (MMPP) training programmes and language proficiency assessment centres, including personal data for the allocation of positions within organisations.

Organisation of AVSEC training activities.

Management of the training responsibility of AESA within the framework of the AVSAF project.

Internal Training Inspectors.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Regulation (EU) No 1321/2014 on the continuing airworthiness of aircraft and aeronautical products, parts and appliances and on the approval of organisations and personnel involved in those tasks.

Regulation (EU) 2015/340 technical requirements and administrative procedures relating to air traffic controllers’ licences and certificates.

Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency.

Commission Regulation (EU) 1178/2011 of 3 November 2011 laying down technical requirements and administrative procedures related to civil aviation aircrew.

Commission Implementing Regulation (EU) 2018/1976 of 14 December 2018 laying down implementing rules for the operation of sailplanes.

Commission Implementing Regulation (EU) 2018/357 of 13 March 2018 laying down detailed rules for the operation of balloons.

Royal Decree 765/2022 of 20 September 2022 regulating the use of ultra-light motorised aircraft (ULM).

National Civil Aviation Safety Programme and National Civil Aviation Training Programme.

Basic Regulation (EU) 2018/1139 and its implementing regulation Regulation (EU) 139/2014.

Regulation (EU) 139/2014.

Royal Decree 1133/2010.

Royal Decree 98/2009 of 6 February 2009 approving the Aeronautical Inspection Regulation.

Royal Decree: Royal Decree 517/2024, of June 4, which develops the legal regime for the civil use of unmanned aircraft systems (UAS).

Implementing Regulation (EU) 2019/947 rules and procedures for the use of unmanned aircraft.

Collectives:

Training organisations.

Remote pilot training organizations.

Training centres for aeronautical personnel and their personnel.

Language proficiency assessment centres and their staff.

AVSEC instructors.

Civil aviation security officers.

Instructor staff of AVSAF Training Organizations.

Airport employees who need to take the AVSAF exam.

AVSEC instructors.

Civil aviation security officers.

Private security guards.

Data Category:

Identification data: name and surname, ID or passport, telephone, postal address, email, digital signature, nationality, image.

General personal data (labor): position of the person, job within an organisation; Academics: training carried out.

Identification data: name and surname, ID card or passport, telephone number, postal address, e-mail address, digital signature, nationality, date and place of birth.

General personal data (labor): position of the person, job within an organisation; Academics: training carried out.

Category of Recipients:

Other EASA Authorities on request.

European Commission.

Instructor staff of AVSAF Training Organizations.

Airport employees who need to take the AVSAF exam.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

15. HR Management

Purposes of processing:

Management of personnel, civil servants and workers, assigned to AESA.

Personal file. Time control. Incompatibilities. Training. Pension plans. Social action. Prevention of occupational risks. Disciplinary regime. Management of the protocol of sexual harassment, harassment based on sex, harassment based on sexual orientation or harassment based on gender identity and expression.

Issuance of the payroll of the Agency's staff, as well as of all the products derived from it.

Economic management of social action and obtaining statistical or case studies aimed at the economic management of staff.

Management of trade union activity in the Agency.

Legal basis:

GDPR: 6.1.b) Processing necessary for the execution of a contract to which the interested person is a party or for the application at the request of the latter of pre-contractual measures.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Law 30/1984 of 2 August 1984 on measures to reform the civil service.

Law 31/1995 of 8 November 1995 on the prevention of occupational risks.

Organic Law 3/2007, of 22 March, for the effective equality of men and women.

Royal Legislative Decree 5/2015 of 30 October 2015 approving the Law on the Basic Statute of Public Employees.

Royal Legislative Decree 2/2015 of 23 October 2015 approving the recast text of the Law on the Workers’ Statute.

Law 3/2018, Protection of personal data and guarantee of digital rights.

Collectives:

Work and civil servants, and their families, assigned to AESA.

Data Category:

Name and surname, ID / CIF / Identification document, personnel registration number, Social Security number / Mutuality, address, signature and telephone.

Special categories of personal data: health data (health leave, accidents at work and degree of disability, excluding diagnoses), trade union membership (for the exclusive purpose of paying trade union fees, if applicable), trade union representative (if applicable), proof of attendance from own and third parties.

Personal Characteristics Data: Sex, marital status, nationality, age, date and place of birth and family data. Family circumstances data: Date of registration and cancellation, licenses, permits and authorizations.

Academic and professional data: Qualifications, training and professional experience.

Details of employment and administrative career. Incompatibilities.

Presence control data: date/time of entry and exit, reason for absence.

Economic-financial data: Economic data of payroll, credits, loans, guarantees, tax deductions, loss of assets corresponding to the previous job (if applicable), judicial withholdings (if applicable), other withholdings (if applicable). Bank details.

Other information: data on social action, data on civil service sanctions.

Category of Recipients:

National Institute of Public Administration.

Central Personnel Register.

Entity entrusted with the management of occupational risks.

National Institute of Social Security and mutual societies of civil servants.

Management entity and depository of the Pension Plan of the General State Administration.

General Treasury of Social Security.

Directorate-General for Personnel Costs and Public Pensions.

Orphan Colleges.

Trade union organisations.

Financial institutions.

State Agency for Tax Administration.

General Intervention of the State Administration.

Court of Auditors.

Public Prosecutor’s Office.

Courts.

State Security Forces and Bodies.

International transfers:

No international data transfers are foreseen.

Deletion period:

They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data. The provisions of the archives and documentation regulations shall apply.

The economic data of this processing activity will be kept under the provisions of Law 58/2003, of December 17, General Taxation.

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

16. Event management and data integration

Purposes of processing:

Collection and treatment of events reported to the SNS. Anonymization of notifications, risk classification and preparation of the list of most relevant events. Verification of the quality and purpose of the information provided. Provision of data to other EASA or external units.

Compilation and treatment of indicators reported periodically by the WEIGHT Indicators Program. Verification of the quality and purpose of the information provided. Provision of data to other EASA units.

Acquisition, processing and provision of information from other internal and external data sources to facilitate risk analysis activities.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Regulation (EU) 376/2014 occurrence reporting in civil aviation.

Implementing Regulation (EU) 2015/1018 mandatory civil aviation occurrence classification list.

Law 1/2011 State Operational Safety Programme for Civil Aviation.

Royal Decree 1088/2020 of 9 December 2020 supplementing the regime applicable to the reporting of civil aviation occurrences.

Collectives:

Safety service providers, external requesters of information and internal requesters of access to restricted access applications.

Data Category:

Identification data: name, ID/ID card, telephone number, postal address, e-mail address, digital signature, nationality, date and place of birth.

General personal data (labor): job within an organization.

Category of Recipients:

Additionally, external requests for information are met but, under regulatory requirement, personal data is not included and the request must be motivated to improve security.

International transfers:

In case of indications of wilful intent or gross negligence, the data may be forwarded to competent international authorities in the supervision of the personnel/suppliers involved.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

17. Budgetary and economic management

Purposes of processing:

Processing of expenditure and revenue files derived from the execution of AESA's budget and its sanctioning activity.

Legal basis:

GDPR: 6.1.b) Processing necessary for the execution of a contract to which the interested person is a party or for the application at the request of the latter of pre-contractual measures.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.

Royal Legislative Decree 2/2015 of 23 October 2015 approving the recast text of the Law on the Workers’ Statute.

Royal Legislative Decree 5/2015 of 30 October 2015 approving the Law on the Basic Statute of Public Employees.

Law 9/2017, of 8 November, on Public Sector Contracts.

Law 47/2003, of 26 November, General Budget.

Law 58/2003, of 17 December, General Tax Law.

General Public Accounting Plan in relation to the First Final Provision of Law 16/2007, of 4 July.

Royal Decree 462/2002 of 24 May 2002 on compensation for service.

Law 38/2003, of 17 November, General Subsidies.

Law 40/2015, of 1 October, on the Legal Regime of the Public Sector.

Collectives:

Staff, civil servants and employees of AESA, suppliers, beneficiaries of grants or scholarships, sanctioned persons, tenderers.

Data Category:

Name and surname, ID / Identification document, address, signature and telephone.

Employment detail data: work station.

Economic, financial and insurance data: Bank details.

Category of Recipients:

Financial institutions.

State Agency for Tax Administration.

General Intervention of the State Administration.

Court of Auditors.

For tenderers and signatories of contracts with EASA:

State procurement platform.

Public register of contracts.

International transfers:

No international data transfers are foreseen.

Deletion period:

They will be kept for the time necessary to comply with the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and the processing of data, in accordance with Law 58/2003, of December 17, General Tax, in addition to the periods established in the regulations of archives and documentation.

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

18. Ground Assistance Inspections

Purposes of processing:

Carrying out ground handling inspections.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Directive 96/67/EC; Royal Decree 1161/99.

Law 21/2003 of 7 July 2003 on Air Safety.

Collectives:

Groundhandling agents and their representatives.

Airport managers.

Data Category:

Identification data of the staff of legal or natural persons and their representatives.

Operational and economic data of the entities.

Category of Recipients:

Contact details may be shared with organisations with which EASA participates in EASA-driven aviation safety projects.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

19. Aeronautical Personnel Licensing

Purposes of processing:

Processing of requests and queries for driver licenses.

Renewal of the unit entries and the exchange of these if necessary.

Issuance of licenses to Aircraft Maintenance Technicians (TMA), Part 66 and national license.

Issuance and maintenance of licenses, ratings, privileges and certificates associated with the license to aeronautical personnel, for license PART FCL, PART SFCL, PART BFCL, PART CC and ULM licenses.

Cooperation in the regulation of civil aviation safety (BASA Agreement) between the United States of America and the European Community.

Certification and recertification processes of instructors, managers, EDD and security guards.

UAS pilots: A1/A3 pass test, A2 and theoretical STS certificates, theoretical radiophonist and instructors, examiners and remote pilot evaluators.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Regulation (EU) No 1321/2014 on the continuing airworthiness of aircraft and aeronautical products, parts and appliances and on the approval of organisations and personnel involved in those tasks.

Implementing Regulation (EU) 2019/947 rules and procedures for the use of unmanned aircraft.

Regulation (EU) 2015/340 technical requirements and administrative procedures relating to air traffic controllers’ licences and certificates.

Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency.

Commission Regulation (EU) 1178/2011 of 3 November 2011 laying down technical requirements and administrative procedures related to civil aviation aircrew.

Commission Delegated Regulation (EU) 2020/723 of 4 March 2020 laying down detailed rules on the acceptance of pilot certification issued by third countries.

Commission Implementing Regulation (EU) 2018/1976 of 14 December 2018 laying down implementing rules for the operation of sailplanes.

Commission Implementing Regulation (EU) 2018/357 of 13 March 2018 laying down detailed rules for the operation of balloons.

Royal Decree 123/2015, of February 27, which regulates the license and ratings of the ultralight pilot.

Royal Decree 765/2022 of 20 September 2022 regulating the use of ultra-light motorised aircraft (ULM).

National Civil Aviation Safety Programme and National Civil Aviation Training Programme.

Royal Decree 517/2024, of June 4, which develops the legal regime for the civil use of unmanned aircraft systems (UAS)

Collectives:

Air traffic controllers.

Aircraft Maintenance Technicians.

Holders or applicants of pilot license or TCP certificate under the authority of AESA.

Examiners from other EASA member states performing their duties for pilots or AESA licence applicants.

Training centres for aeronautical personnel and their personnel.

Language proficiency assessment centres and their staff.

UAS remote pilots.

Remote pilot instructors, examiners and evaluators.

Data Category:

Personal data: Name and surname/Company name, NIF/CIF, Postal address, Population, Email, Telephone, Date of birth, Nationality (foreigners only), Signature.

Photo of the DNI and recent photograph of the interested party.

Video and audio recording.

Copy of identity document (ID, NIE or Passport).

General personal data (labor): job within an organisation; Academics: training carried out, duration of the training, training centre where the training is carried out, level of achievement and qualifications, instructors and other information of a training nature.

License number, issuing country and date of issue.

Certificate of having passed the basic training and of the ratings and rating endorsements requested (according to Format LATC-15-PES-101-F07).

Certificate of passing the assessment of linguistic competence, at least in English, carried out in an assessment centre certified in accordance with the Rto. (EU) 2015/340.

Copy of valid class 3 medical certificate.

Exceed or not of psychophysical recognition to exercise the tasks granted by your license or certificate.

Data of a criminal nature, when required by the applicable regulations: general criminal record.

Category of Recipients:

Other EASA Authorities.

European Commission.

Courts.

State Security Forces and Bodies.

Other Administrations where applicable.

International transfers:

Countries included in the exchange of requirements of Regulation (EU) 2015/340 technical requirements and administrative procedures relating to air traffic controller licences and certificates.

Aeronautical authorities of third countries ICAO (non-EASA).

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

20. Aeronautical Medicine

Purposes of processing:

Issuance, renewal of the aeronautical medical certificate. Other treatments linked to the medical certificate (medical examination after refusal). Management of aero-medical centers (including data of their authorized personnel) and aero-medical examiners.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency.

Commission Regulation (EU) No 1178/2011 of 3 November 2011 laying down technical requirements and administrative procedures related to civil aviation aircrew.

Commission Regulation (EU) 2015/340 of 20 February 2015 laying down technical requirements and administrative procedures relating to air traffic controllers’ licences and certificates.

Collectives:

Holders or applicants of pilot licences or TCP certificates under the authority of EASA

Approved aeronautical medicine centers and their staff.

Aerial medical examiners.

Data Category:

Identification data: name and surname, ID / Identification document, telephone, postal address, Email, Digital signature, nationality, Image.

General personal data (labor): position of the person, job within an organisation; Academics: training carried out.

Special category data: Health-related (data related to the physical or mental health of the person; diseases, injuries, results of medical tests and examinations).

Category of Recipients:

AeMC Aeronautical Medicine Centers and AME Air Medical Examiners.

EASA aeronautical authorities.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

21. Civil Airspace Management and Flight Procedures

Purposes of processing:

Processing of applications for approval of civil flight procedures.

Establishment or modification of civil flight procedures that do not require approval.

Processing of requests for suspension of operational limitations for ULM and VLB, as well as for the determination of mandatory radio zones (RMZ), transponder (TMZ) or mandatory submission of Flight Plan (FPMZ).

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Royal Decree 1180/2018 of 21 September 2018 implementing the Air Regulation and common operational provisions for air navigation services and procedures.

Royal Decree 765/2022 of 20 September 2022 regulating the use of ultra-light motorised aircraft (ULM).

Royal Decree 310/2022 of 3 May 2022 supplementing the legal regime for the approval of airspace changes and civil flight procedures.

Royal Decree 1591/1999 of 15 October 1999 regulating the registration and use of ultralight aircraft and amending the registration of private non-commercial aircraft.

Implementing Regulation (EU) 923/2012 Air Regulation and Common Operational Provisions for Air Navigation Services and Procedures.

Collectives:

Suppliers of flight procedure design and airspace management.

Data Category:

Company Data: Name of the applicant organization, Main Activity Address, Population, Postal Code.

Data of the interested party: Name, Type of identification document, Identification No.

Representative details: Name, Type of identification document, Identification No.

Contact details: Name, Type of identification document, Identification number, Address, Population, Postal code, Email, Telephone.

Category of Recipients:

Ministry of Defence of Spain.

AENA.

ENAIRE.

Other Spanish bodies.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

22. Air traffic management and air navigation service providers (ATM/ANS)

Purposes of processing:

Initial and ongoing oversight of providers of air traffic management and air navigation services (‘ATM/ANS’) and other air traffic management network (‘ATM’) functions for general air traffic, in particular for natural or legal persons providing such services and functions.

Implement common rules on air traffic flow management.

Implement aeronautical safety standards in relation to the duty times and rest requirements of civil air traffic controllers.

Issuance of an initial certificate and/or amendment of ATM/ANS certificates for providers of air traffic management/air navigation services and other air traffic management network functions and their oversight.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Implementing Regulation (EU) 2017/373 common requirements for providers of air traffic management/air navigation services and other air traffic management network functions and their oversight.

Regulation (EU) 255/2010 common rules on air traffic flow management.

RD 1001/2010 aeronautical safety standards in relation to the duty times and rest requirements of civil air traffic controllers.

Collectives:

Providers of air traffic management and air navigation services (ATM/ANS).

Data Category:

Company Data: Name of applicant organisation, Principal Activity Address, Population, Postal Code

Data of the interested party: Name, ID / Identification document.

Representative details: Name, ID / Identification document.

Contact details: Name, Type of identification document, Identification number, Address, Population, Postal code, Email, Telephone.

Category of Recipients:

Other European EASA bodies.

Contact details may be shared with organisations with which EASA participates in EASA-driven aviation safety projects.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

23. U-space service providers and common information services

Purposes of processing:

Processing of certificate issuance and modification files as a U-space service provider and common information service provider.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Implementing Regulation (EU) 2021/664 regulatory framework for U-space.

Implementing Regulation (EU) 2021/665 amending Implementing Regulation (EU) 2017/373 as regards requirements for providers of air traffic management/air navigation services and other air traffic management network functions in designated U-space airspace in controlled airspace.

Implementing Regulation (EU) 2021/666 amending Regulation (EU) 923/2012 as regards requirements for manned aviation operating in U-space airspace.

Collectives:

U-space service providers and common information services.

Data Category:

Company Data: Name of the applicant organization, Main Activity Address, Population, Postal Code.

Contact details of the representative or focal points of the service providers: Name, ID / Identification document, Address, Population, Postal code, Email, Phone.

Responsible Director: Name of the Director responsible, Name of the representative, Signature of the Director responsible.

Personal identification data CTA: Name and surname, DNI / Identification document.

CTA health data: Situation of psychophysical decrease (although no more information is required, sometimes they provide us with specific medical data).

Category of Recipients:

Other EASA Authorities.

CIDETMA.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

24. Provision of jobs

Purposes of processing:

Selection of staff and provision of jobs through public calls.

Legal basis:

GDPR: 6.1.b) Processing necessary for the execution of a contract to which the interested party is a party or for the application at its request of pre-contractual measures.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.

Royal Legislative Decree 5/2015 of 30 October 2015 approving the Law on the Basic Statute of Public Employees.

Royal Legislative Decree 2/2015 of 23 October 2015 approving the recast text of the Law on the Workers’ Statute.

Collectives:

Candidates submitted to procedures for the provision of jobs.

Data Category:

Name and surname, ID / Identification document, personnel registration number, address, signature and telephone.

Special categories of personal data: health data.

Personal Characteristics Data: sex, marital status, nationality, age, date and place of birth and family data.

Academic and professional data: Qualifications, training and professional experience.

Details of employment and administrative career.

Category of Recipients:

To the Central Personnel Register.

Directorate-General for the Civil Service.

Official State Gazette.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

25.Complaints and suggestions

Purposes of processing:

Registration and processing of complaints and suggestions submitted in relation to the action of AESA, in accordance with the provisions of Law 39/2015 and 40/2015, and developed by Royal Decree 951/2005, of 29 June, establishing the general framework for improving quality in the General State Administration.

Legal basis:

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.

Law 39/2015 of 1 October 2015 on the common administrative procedure of public administrations.

Law 40/2015 of 1 October 2015 on the legal regime of the public sector.

Collectives:

People who go to EASA and staff, civil servants and workers, of the Agency.

Data Category:

Name and surname, ID / NIF / Identification document, address, telephone and signature.

Other information: those contained in the complaint or suggestion.

Category of Recipients:

Other Administrations, where applicable.

Ombudsman if the complaint has been lodged with the Ombudsman.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

26. Radio beacons

Purposes of processing:

Emergency aeronautical beacon record (ELT) of 406MHz.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Regulation (EU) 965/2012 technical requirements and administrative procedures relating to air operations.

Collectives:

Operators, owners of aircraft in the civil aeronautical environment and personnel of search and rescue services.

Data Category:

Company Data: Name of the applicant organization, Main Activity Address, ID / Identification Document, Population, Postal Code, Registered address.

Contact details: Name, Address, Population, Postal Code, Email, Telephone, DNI / Identification document.

Responsible Director: Name of the responsible director, Name of the representative, Signature of the responsible director, Signature of the applicant.

Category of Recipients:

No data communications are planned.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

27.Internal regime

Purposes of processing:

Management of the internal regime of the Agency. Security of facilities, property and natural persons. Preventive and corrective maintenance of premises and facilities.

Legal basis:

GDPR: 6.1.d) the processing is necessary to protect vital interests of the person concerned or of another natural person.

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.

Collectives:

Own and external staff serving at EASA headquarters.

Data Category:

Name and surname, DNI / Identification document.

Employment detail data: jobs.

Other information: username, password.

Category of Recipients:

Where applicable, bodies or service providers related to the protection of persons, goods or services.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

28.Registration of Civil Aircraft

Purposes of processing:

Registration of civil aircraft as well as recordable documents and documents.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Law 48/1960, of 21 July, on Air Navigation.

Royal Decree 384/2015 of 22 May 2015 approving the Regulation on the registration of civil aircraft.

Collectives:

Air companies and operators (pilot schools and aerial work companies, among others). Citizens.

Data Category:

Name and surname, ID / Identification document, Postal address, E-mail address, Telephone.

Category of Recipients:

State Agency for Tax Administration (AEAT).

General Treasury of Social Security.

Courts.

State Security Forces and Bodies.

Other Administrations where applicable.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

29. Sanctioning agents

Purposes of processing:

Develop activities related to the processing of penalty proceedings, which derive from the exercise of sanctioning powers in civil aviation.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Law 21/2003 of 7 July 2003 on Air Safety.

Royal Decree 184/2008 Statute of the State Aviation Safety Agency.

Collectives:

Natural persons, including representatives of legal persons, affected by the sanctions imposed by EASA.

Data Category:

Identification data: name, ID, address, e-mail, signature, position and Data related to the document submitted.

Category of Recipients:

Judicial authority, Public Prosecutor's Office or the competent administrative authority in the framework of criminal, disciplinary or sanctioning investigation.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

30. Security

Purposes of processing:

Carrying out regulatory control actions, supervision actions and reports.

Issuance of type A and type B aeronautical inspection cards

Certification processes:

AVSEC Instructor Certification Procedure.

AVSEC C1, C2, C3a and C3b Safety Watchers Certification Procedure.

Procedure for Certification of Equipment of Explosive Detecting Dogs (EPDE).

Certification Procedure for Airport Security Officers (RSA).

Certification Procedure for Heads of Airline Safety (RSLA).

Accredited Agent Security Officers Certification Procedure (AVSEC-RA).

Certification Procedure for Security Managers of Known Shippers (AVSEC-KC).

Civil Aviation Information Security Officers (RSIAC).

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

National Security Program for Civil Aviation.

Law 21/2003 of 7 July 2003 on Air Safety.

Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008.

Royal Decree 98/2009 of 6 February 2009 approving the Aeronautical Inspection Regulation.

Collectives:

Airport managers certified for public use.

Verified airport managers for public use.

Air carriers.

Groundhandling agents.

Accredited agents.

Known consignors.

Accredited Suppliers.

Known Suppliers.

Air Navigation Service Providers.

Instructors and AVSEC managers.

Private security companies.

Agencies or Entities that apply security controls in accordance with the National Security Program for Civil Aviation.

Data Category:

Entities mentioned in the collective column.

Operational data of the entities.

Identification data of the personnel of the entities.

Category of Recipients:

In certification processes, training centers and companies (work experience) of those specified by the applicant for data verification.

In processes of assessment of suitability of the worker in the field of civil aviation to the Ministry of the Interior.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

31.Building Security

Purposes of processing:

Ensure the safety of people, goods and facilities.

Registration and control of visits. Management of access cards.

Legal basis:

GDPR: 6.1.d) the processing is necessary to protect vital interests of the person concerned or of another natural person.

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights.

Collectives:

Own and external staff serving the Agency.

Natural persons or representatives of legal persons who come to the seat of the Agency to make various representations.

AESA staff with access card.

Data Category:

Peripheral recording of images of the vicinity and entrances to the building. Recording of restricted access areas of the headquarters.

Visit control: Name and surname, DNI / Identification document.

Access cards: Name and surname, ID / Identification document, access authorized by the person in charge.

Category of Recipients:

State Security Forces and Bodies.

International transfers:

No international data transfers are foreseen.

Deletion period:

In one month from the date of collection.

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

32. Aeronautical services

Purposes of processing:

The servitude procedures establish how to respond to requests for prior agreement for elements under servitude or greater than 100 meters, as well as the treatment of complaints about these elements and the inspection activity of these elements.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

RD 584/1972 - RD369/2023.

Law 21/2003 of 7 July 2003 on Air Safety.

Collectives:

Applicant natural or legal persons.

Town halls.

Data Category:

Personal data of the applicant, reported, whistleblower and inspected.

Technical data of the elements (coordinates, heights, etc.)

AENA and ENAIRE reports with technical and operational data.

Category of Recipients:

Airport managers (AENA and others)

ENAIRE

Defence

Municipalities

AIS.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

33. Internal Information and Protection System of the Reporter

Purposes of processing:

Management of the information provided for by Law 2/2023.

Legal basis:

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.

Law 2/2023 of 20 February on the protection of persons who report breaches of regulations and the fight against corruption.

Collectives:

Reporting persons, affected persons and third parties mentioned in the information received, or who are required to collaborate in the investigations as witnesses or providing reports and data.

Data Category:

Name and surname, ID / Identification document, address, telephone and signature.

Other information: those included in each information received, or those incorporated during its processing.

Category of Recipients:

Judicial authority, Public Prosecutor’s Office, European Public Prosecutor’s Office or competent administrative authority in the framework of a criminal, disciplinary or sanctioning investigation.

International transfers:

No international data transfers are foreseen.

Deletion period:

They will be kept for as long as is necessary to fulfil the purpose for which they were collected and to determine any possible liabilities that may arise from that purpose and from the processing of the data. The provisions of the archives and documentation regulations shall be applicable.

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

34. Airport and Aerodrome Supervision

Purposes of processing:

These procedures articulate the authorization or verification according to the type of airport (non-certified public use or restricted use), change management and regulatory control inspection of airports.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

RD 862/2009 AND RD1070/2015.

Law 21/2003 of 7 July 2003 on Air Safety.

Collectives:

Airport managers of facilities for public use.

Airport managers of facilities for restricted use (can be any applicant natural or legal person).

Data Category:

Personal data of the applicant and inspected.

Technical and operational data of the managed facilities.

Category of Recipients:

Airport managers.

ENAIRE.

Defense.

AIS.

International transfers:

No international data transfers are foreseen.

Deletion period:

They will be kept for as long as necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data. The provisions of the archives and documentation regulations shall apply.

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

35. DORA and SLOTS supervision

Purposes of processing:

Carrying out inspections and reports.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

DORA: Law 18/2014 and Resolution Council of Ministers DORA.

SLOTS: Regulation EU 95/93, RD 20/2014, Order FOM/1050/2014.

Collectives:

Aena and slot coordinator (AECFA).

Data Category:

Entities: AENA and AECFA.

Operational and economic data of the entities.

Identification data of personnel of the entities.

Category of Recipients:

No data communications are planned.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

36. Economic supervision and performance of Air Navigation

Purposes of processing:

Supervision of the performance and charging of air navigation services and network functions.

Supervision of the economic and financial capacity of air navigation service providers and air traffic flow management providers, as well as training organisations.

Supervise the safe, effective, continuous and economically and financially sustainable provision of AFIS services.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Implementing Regulation (EU) 2019/317 performance and charging scheme in the single European sky.

Common Implementing Regulation (EU) 2017/373 for providers of air traffic management/air navigation services and other air traffic management network functions and their oversight.

Regulation (EU) 2015/340 technical requirements and administrative procedures relating to air traffic controllers’ licences and certificates.

Royal Decree 1133/2010.

Collectives:

Air navigation service providers.

Training organisations.

Data Category:

Company Data: Name of the requesting organization, E-mail, Address, Population, Postal code, Telephone.

Contact details: Name, DNI/NIE, Address, Population, Postal code, Email, Telephone.

Category of Recipients:

The European Commission.

Other European EASA bodies.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

37. Fees and Collection

Purposes of processing:

Management and enforcement of sanctions imposed by EASA.

Management of AESA's competition rates.

Legal basis:

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.

Law 21/2003 of 7 July 2003 on Air Safety.

Law 58/2003, of 17 December, General Tax Law.

Collectives:

Natural persons, including persons representing legal persons, for sanctions imposed by EASA.

Data Category:

Name and surname, ID / Identification document, address and telephone.

Bank details.

Data on their economic activity and solvency.

Category of Recipients:

Financial institutions.

State Agency for Tax Administration.

General Intervention of the State Administration.

Court of Auditors.

International transfers:

No international data transfers are foreseen.

Deletion period:

The economic data will be kept in accordance with the provisions of Law 58/2003, of December 17, General Tax Law.

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

38. Transparency

Purposes of processing:

Register and process requests for access to information made by citizens under Law 19/2013, of December 9, on transparency, access to information and good governance.

The data of other people that are included in the transparency requests and that are considered third parties according to article 19.3 of the aforementioned Law are included.

Legal basis:

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.

Law 19/2013, of 9 December, on Transparency, Access to Public Information and Good Governance.

Collectives:

Requesters of public information.

Third parties.

Data Category:

Name and surname, ID / Identification document, address, telephone and signature.

Category of Recipients:

Council of Transparency and Good Governance, judicial bodies, Attorney General of the State.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

39. Supervision ex officio

Purposes of processing:

Carry out audits and inspections, within the scope of the regulatory control actions of the Aeronautical Inspection Regulation RD 98/2009.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Regulation (EU) 2018/1139 common rules in the field of civil aviation.

Royal Decree 98/2009 Regulation on aeronautical inspection.

Regulation (EU) 965/2012 technical requirements and administrative procedures relating to air operations.

Regulation (EU) No 1321/2014 on the continuing airworthiness of aircraft and aeronautical products, parts and appliances and on the approval of organisations and personnel involved in those tasks.

Regulation (EU) 2019/1383 amending and correcting Regulation (EU) 1321/2014

Royal Decree 1591/1999 registering and using ultralight aircraft and amending the register of private non-commercial aircraft.

Regulation (EU) 2018/395 laying down detailed rules for the operation of balloons.

Royal Decree 1919/2009 regulates the aeronautical safety of civil air demonstrations.

Commission Regulation (EU) 2018/1976 of 14 December on operations with sailplanes.

Royal Decree 750/2014 regulates aerial firefighting and search and rescue activities and establishes airworthiness and licensing requirements for other aeronautical activities.

Regulation (EC) 1008/2008 common rules for the operation of air services in the Community.

Implementing Regulation (EU) 2019/947 rules and procedures for the use of unmanned aircraft.

RD 1036/2017 civilian use of remotely piloted aircraft.

Collectives:

Air Operators.

Airworthiness Maintenance Management Organizations (CAMO/CAO).

Aircraft design and production organizations.

Organizations / Aircraft Maintenance Center.

Training Centres for Aircraft Maintenance Technicians (Part 147).

Pilots owning aircraft.

Amateur aircraft builders.

Ramp inspection training centres.

UAS operators and UAS pilot training entities.

Data Category:

Name and surname / Company name, NIF, Postal address, E-mail address, Telephone, Image, Video, Nationality.

Category of Recipients:

Eurocontrol (only in the case of RVSM approvals).

Other EASA Authorities.

Courts.

State Security Forces and Bodies.

Other Administrations where applicable.

Contact details may be shared with organisations with which EASA participates in EASA-driven aviation safety projects.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

40. I/O registration

Purposes of processing:

Management of the entry and exit register of documents of the State Aviation Safety Agency, in the terms provided for in Article 16 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations.

Legal basis:

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller.

Law 39/2015 of 1 October 2015 on the Common Administrative Procedure of Public Administrations.

Collectives:

Natural persons, including representatives of legal persons, who address or receive communications from the Agency. Staff of the Agency receiving or sending communications.

Data Category:

Name and surname, ID / NIF / Identification document, address, telephone and signature.

Representation data where applicable.

Data related to the submitted document.

Category of Recipients:

Administrative bodies to which, where appropriate, the request is addressed in accordance with the provisions of Article 16 of Law 39/2015.

International transfers:

No international data transfers are foreseen.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

41. Emissions Assessment of Air Operators

Purposes of processing:

Preparation of reports for the processing of plans monitoring greenhouse gas emissions of Air Operators and the reports associated with them. Monitoring of compliance with greenhouse gas emissions monitoring schemes by air operators and verifiers.

Preparation of reports for the processing of sanctioning procedures for non-compliance with the obligations of air operators derived from greenhouse gas emissions monitoring schemes.

Preparation of reports for the determination of the free allocation of allowances linked to the European emissions trading scheme, as well as for the determination of the compensation obligations of air operators attributed to Spain within the scope of the CORSIA global scheme.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Law 13/2010, of 5 July, amending Law 1/2005, of 9 March, regulating the greenhouse gas emission allowance trading system, to improve and extend the general emissions trading system and include aviation in it.

Law 1/2005 of 9 March 2005 regulating the greenhouse gas emission allowance trading system transposed Directive 2003/87/EC of the European Parliament and of the Council of 13 October 2003 establishing a scheme for greenhouse gas emission allowance trading within the Community and amending Directive 96/61/EC into Spanish law.

Commission Implementing Regulation (EU) 2018/2066 of 19 December 2018 on the monitoring and reporting of greenhouse gas emissions pursuant to Directive 2003/87/EC of the European Parliament and of the Council and amending Commission Regulation (EU) No 601/2012.

Commission Delegated Regulation (EU) 2019/1603 of 18 July 2019 supplementing Directive 2003/87/EC of the European Parliament and of the Council with regard to measures adopted by the International Civil Aviation Organization for the monitoring, reporting and verification of aviation emissions for the purpose of implementing a global market-based measure.

Collectives:

Air operators that exceed the thresholds for ETS and/or CORSIA defined in the regulations.

Verifiers of greenhouse gas emissions.

Data Category:

Name and surname, ID / Identification document, Postal address, E-mail address, Telephone, monitoring plans and reports of greenhouse gas emissions.

Category of Recipients:

Ministry for Ecological Transition and Demographic Challenge.

European Commission.

International transfers:

Those established under Article 14(6) of Directive 2003/87.

Deletion period:

Security measures:

Entity:

State Aviation Safety Agency.

Paseo de la Castellana 112, 28046, Madrid.

To contact the DPO, go to the AESA website, under the link “Contactus”,selecting in the subject: “Consultationswith the Data Protection Officer”.

42. Legal advice

Purposes of the treatment:

General legal advice; processing of administrative procedures and processing of draft regulations.

Legal basis:

GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Government Act No. 50/1997 of 27 November 1997.

Law 21/2003 of 7 July 2003 on Air Safety.

Royal Decree 184/2008 of 8 February 2008 approving the Statute of the State Aviation Safety Agency.

Royal Decree 98/2009, of 6 February, approving the Regulation on aeronautical inspection

Law 39/2015, of 1 October, on the common administrative procedure of public administrations.

Law 40/2015 of 1 October 2015 on the legal regime of the public sector.
Collectives:

Citizens or interested in the files to which the request for legal advice affects or refers.

Data Category:

Name and surname, ID / Identification document, Postal address, E-mail address, telephone and signature.

Representation data where applicable.

Data related to the documentation submitted.

Category of Recipients:

Courts.

Public Prosecutor’s Office.

State Security Forces and Bodies.

Other Administrations where applicable.

Directorate-General for Civil Aviation.

Official State Gazette.
International transfers:

No international data transfers are foreseen.

Deletion period:

The personal data will be kept for the time necessary to fulfill the purpose for which it has been collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data. The regulations on Spanish archives and documentary heritage will apply.

Security measures:

The security measures implemented correspond to those provided for in Annex II (Security Measures) of Royal Decree 311/2022, of 3 May, regulating the National Security Scheme, and which are described in the documents that make up the Agency's Data Protection and Information Security Policy.

Entity:

State Aviation Safety Agency.
Paseo de la Castellana 112, 28046, Madrid.

You can request access, rectification, deletion, opposition or limitation of the processing of personal data in the event that the requirements established in the General Data Protection Regulation are met, as well as in Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights, as indicated in the section "Exercise of the rights of the interested parties" of the "Privacy Policy and legal notice".

To contact the DPO, go to the AESA website, under the link ‘Contact us’, selecting in the subject: “Consultationswith the Data Protection Officer”.